
ISO 27001:2022 Annex A Control 5.21

Managing information security in the information and communication technology (ICT) supply chain

Annex A control 5.21 of the 2022 version of the ISO 27001 standard maps to ISO 27001:2013 Annex A control 15.1.3.

To manage information security risks effectively, stringent procedures must be in place before products and services are supplied. This is where control 5.21 comes in: it acts as a preventive control that manages supply chain risks and establishes an agreed level of security between the organisation and its ICT suppliers.

ICT suppliers often need something instead of – or in addition to – the standard supplier relationship approach. Control 5.21 fills this gap, giving organisations the means to set clear security measures and asset controls for the protection of their data.

Control 5.21 risk assessment

Control 5.21 focuses on the ICT services provided by suppliers. Organisations should carefully assess any risks relating to the ICT services being provided by a chosen third-party vendor.

For example, stronger security measures will need to be agreed with a provider of infrastructure-critical services than with a supplier who only has access to publicly available information.

Key guidelines for control 5.21

Control 5.21 provides governance for an organisation’s supplier relationships, specifying 13 ICT-related guidance points. Many of these have been added to account for the rise of cross-platform on-premises and cloud services over the past decade. Control 5.21 covers hardware and software supply as well as services.

The 13 guidelines in Control 5.21 are:

  1. Drafting a comprehensive set of information security standards tailored to the organisation’s specific needs. These should set clear expectations of how suppliers will conduct themselves for the duration of the contract.
  2. Ensuring suppliers are responsible for informing their own contractors and personnel of the organisation’s specific information security standards.
  3. Requiring suppliers to communicate the organisation’s security requirements to any other suppliers or vendors they use.
  4. Requesting information from suppliers about the nature and functions of the software components they supply.
  5. Identifying and operating any service or product in a way that does not compromise information security.
  6. Drafting procedures to make sure the products and services delivered by suppliers are secure and comply with industry standards.
  7. Identifying and recording the elements deemed essential to maintaining core functionality, especially where those components are derived from outsourced agreements.
  8. Obtaining assurance from suppliers that critical components are tracked throughout the supply chain as part of an audit log.
  9. Seeking categorical assurance before products and services are delivered that they will operate without creating further risk.
  10. Ensuring the organisation understands the hardware and software components being introduced into its network, through the provision of component specifications.
  11. Obtaining assurances that ICT products comply with industry-standard security requirements.
  12. Ensuring that suppliers understand their obligation to protect information shared about mutual supply chain operations.
  13. Developing procedures to manage the risk of operating with unsupported or legacy components, wherever they are located.

Changes from ISO 27001:2013

Replacing ISO 27001:2013 Annex A control 15.1.3, the 2022 version’s control 5.21 places greater emphasis on the supplier’s duty to provide and verify component-related information at the point of supply.

This includes suppliers of IT components providing an overview of their products’ security features, together with assurances about the level of security those products offer.

In line with control 5.21, organisations are also required to record additional component-specific information when introducing new services and products. This includes assuring the authenticity of components and identifying the key product components that contribute to core functionality.